Skip to main content

October CMS CVE-2026-26274

| EUVDEUVD-2026-24155 MEDIUM
Incomplete List of Disallowed Inputs (CWE-184)
2026-04-21 GitHub_M GHSA-h6jm-f4hh-fw27
6.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:08 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:01 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 16:30 euvd
EUVD-2026-24155
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
CVE Published
Apr 21, 2026 - 16:16 nvd
MEDIUM 6.6

DescriptionGitHub Advisory

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.

AnalysisAI

October CMS versions prior to 3.7.14 and 4.1.10 allow backend developers with Developer permissions to bypass Twig sandbox restrictions and execute unauthorized database write operations (insert, update, delete) via the query builder when cms.safe_mode is enabled. This privilege escalation vulnerability enables data manipulation on any database table despite sandbox security policies intended to restrict template functionality.

Technical ContextAI

October CMS implements a Twig sandbox security policy to restrict dangerous operations in template markup when cms.safe_mode is enabled. The vulnerability exists in how the sandbox allow-list configuration handles the query builder object, which is intended for read-only template operations but exposes write methods (insert, update, delete) that can manipulate any database table. CWE-184 (Incomplete Filtering of Information within a Search Result) indicates the root cause involves incomplete enforcement of access controls - the sandbox filters certain Twig functions but fails to restrict the full API surface of the whitelisted query builder component, allowing write operations to bypass intended restrictions.

RemediationAI

Vendor-released patch: October CMS 3.7.14 and 4.1.10. Update immediately to these versions or later. Organizations unable to patch promptly should implement the following compensating controls: (1) Disable cms.safe_mode in production if not required for your deployment - this completely eliminates Twig sandbox attack surface but sacrifices template operation restrictions, increasing risk if untrusted template code is executed; (2) Restrict Developer role permissions to a minimal set of trusted administrators and implement strong authentication (MFA) for backend accounts with Developer access; (3) Audit database access logs and Twig template modifications for suspicious activity; (4) Apply principle of least privilege at the database layer by creating separate read-only accounts for template execution if possible, though this may require October core modifications. The patch should be prioritized as high-urgency given the direct impact to data integrity.

CVE-2017-1000119 HIGH POC
7.2 Oct 05

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise

CVE-2021-3311 CRITICAL POC
9.8 Feb 05

An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2021-32648 CRITICAL POC
9.1 Aug 26

octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2017-16244 HIGH POC
8.8 Nov 01

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for po

CVE-2022-21705 HIGH POC
7.2 Feb 23

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulner

CVE-2018-7198 MEDIUM POC
6.1 Feb 18

October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vu

CVE-2017-1000196 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromis

CVE-2017-1000197 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating

CVE-2017-1000194 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site

CVE-2017-15284 MEDIUM POC
5.4 Oct 12

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG fil

CVE-2015-5613 MEDIUM POC
5.4 Sep 28

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrar

CVE-2023-43876 MEDIUM POC
5.4 Sep 28

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary w

Share

CVE-2026-26274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy